BKSCNCMP.RVW 930806

Prentice Hall, Inc.
11711 N. College Ave.
Carmel, IN 46032-9903
800-428-5331
"Security in Computing", Pfleeger, 1989
pfleeger@ida.org (pfleeger@tis.com?)

This work is very obviously a textbook: the attempts to target it at a "professional" audience are unconvincing. As a textbook, though, it succeeds quite well. It addresses a full range of computer security related topics. The level of detail in the different areas varies greatly, but the shortcomings of the book should be addressed in the hands of a competent teacher.

"Security in Computing" may have a place on some professional bookshelves. While the "big iron" bias and lack of practicality would not suit it to the system administrator or programmer, the manager of information services for a large concern may find the conceptual background helpful.

The fifteen chapters in the book are not divided into parts, but seem, in some cases, to come in chunks. The introductory chapter is a clearly laid out overview of the most basic concepts involved with system security. Then come three chapters dedicated to encryption, with great amounts of detail devoted to them. Chapter five very briefly covers security related to programs (both malicious and "careless" software), then two chapters are devoted to operating system software. This is followed by independent chapters on, in turn, data base, personal computer, network, communications, and physical security. Finally, three chapters discuss management type issues: risk analysis, legal issues and ethics.

As mentioned, the content level of various topics ranges from terse to excruciating. The coverage of encryption is excellent: viral programs are left almost completely undefined. (This is possibly understandable, given the copyright date of 1989.) Operating systems are dealt with broadly but thoroughly: personal computers suffer greatly from the lack of willingness to address issues on a practical level.
The management topics would also benefit from further discussion. (In a classroom setting, it would be wise to "import" some local CIOs at this point to add depth.) As usual, the "legal" issues all relate only to American law. The ethics chapter starts off well, but then flounders on the shoals of relativism. It is interesting that nowhere does the book talk about the importance of user training.

Instructors will want to use the book for background, but will also need to make use of additional materials, and a lot of discussion. The "exercises" at the end of each chapter should not simply be "assigned"; they are very open-ended and more properly should be used in a dialogue situation. Generally the book is quite dependable in its accuracy, but there are traps (such as the assertion that fiber optic cable cannot be "tapped").

copyright Robert M. Slade, 1993 BKSCNCMP.RVW 930806

======================
DECUS Canada Communications, Desktop, Education and Security group newsletters
Editor and/or reviewer ROBERTS@decus.ca, RSlade@sfu.ca, Rob Slade at 1:153/733
Author "Robert Slade's Guide to Computer Viruses" (Oct. '94) Springer-Verlag